Domain: nist.gov
Stories and comments across the archive that link to nist.gov.
Comments · 1,805
-
Re:Not so fast.
What concerns me is that in the last two years I've heard no news about a replacement for SHA-1.
WTF? Have you been living in a cave or something?
Crypto mailing lists, newsgroups, and discussion forums talked about almost nothing else for about six months following the announcement that SHA-1 had been broken.
Even the US government, which moves at the speed of a glacier, proposed replacements for SHA-1 in FIPS back in March last year.
http://csrc.nist.gov/publications/drafts.html -
What the professionals have to say
>Bullshit propaganda
>This is total crap.
>Chinese propaganda.
Published research, reviewed and confirmed by other cryptographers. Check the archives of any crypto mailing list.
The NIST has started a hash function working group to replace SHA-1.
"it is clear that it will be necessary to [move away from SHA-1] in the not-too-distant future", according to the Bellovin-Rescorla paper about the impact of cracks of hash functions.
A work factor reduction to on the order of 2^63 operations puts SHA-1 collision generation into the realm of possibility. 2^80, which people used to believe was the number of trials needed to generate an SHA-1 collision, would have been out of reach for decades. -
Pen-test Paper
There was a paper published about this years ago. The title of the paper is: Penetration Analysis of a XEROX Docucenter DC 230ST: Assessing the Security of a Multi-purpose Office Machine. link PDF Warning
-
Paper that I co-authored years ago on this topic.
Shameless self promotion:
http://csrc.nist.gov/nissc/2000/proceedings/papers/034.pdf
Penetration Analysis of a XEROX Docucenter DC 230ST: Assessing the Security of a Multi-purpose Office Machine.
Basically, there were many physical and network vulnerabilities that were of concern without even getting to a remote code execution problem.
Enjoy! -
Software validation.
The answer is simple.
Proprietary closed source software cannot be validated. You cannot trust that it will always work properly, because the source is not available for validation.
http://www.fda.gov/cdrh/comp/guidance/938.html
http://standards.ieee.org/catalog/olis/se.html
http://hissa.nist.gov/HHRFdata/Artifacts/ITLdoc/234/val-proc.html#233_SEC
http://www.access.gpo.gov/cgi-bin/cfrassemble.cgi?title=200621
Software pricing has nothing to do with it. The validation process in regulated environments will cost many times more than the actual value of the software itself. The cost of the actual software is trivial.
Closed source software has no future in regulated, mission-critical applications.
Belief and faith are irrelevant. -
America is already metric
*ahem*
You know those imperial units you love to use? Their official definition is actually in metric. America has been on-board with metric for a long time, and you are allowed to use it in trade & commerce (and it is often used -- bought a 2 liter bottle of pop recently?). American Imperial is just a special case of metric. ;-)
(sadly, this post will get ignored because it's Saturday and at the end of a 900+ message thread :-)) -
Re:New Daylight Savings Time rules?
Well, it was passed into law in August of 2005, so it's been around for a while. Here's a link to the relevant bits. Following is the relevant changes:
* In 2006, DST will begin at 2 a.m. on the first Sunday of April (April 2, 2006) and Standard Time will begin at 2 a.m. on the last Sunday in October (October 29, 2006), as under the current rules.
* However, beginning in 2007, DST will begin at 2 a.m. on the second Sunday in March (March 11, 2007) and Standard Time will begin at 2 a.m. on the first Sunday in November (November 4, 2007).
So what you're saying is, Microsoft is refusing to provide a fix for their product that they knew (or should have known) about when the product was under active support (13 mos before EOL) by claiming it's not eligible now since they procrastinated until it went to extended support only. -
Re:New Daylight Savings Time rules?
News to me. Got links or references to share on that? If it hadn't been for this story, I'd have not known about that, thanks.
Well, it was passed into law in August of 2005, so it's been around for a while. Here's a link to the relevant bits. Following is the relevant changes:
* In 2006, DST will begin at 2 a.m. on the first Sunday of April (April 2, 2006) and Standard Time will begin at 2 a.m. on the last Sunday in October (October 29, 2006), as under the current rules.
* However, beginning in 2007, DST will begin at 2 a.m. on the second Sunday in March (March 11, 2007) and Standard Time will begin at 2 a.m. on the first Sunday in November (November 4, 2007).
It actually got quite a bit of news coverage at the time. It's been on Slashdot several times as well.
Cheers -
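The two DST posts above list the old and the post-2007 US transition rules. As an added example (not code from either poster), here they are encoded so the listed dates can be checked against the calendar; it also goes one step further and counts the days in a year on which a system still running the old rule would show the wrong hour.

```python
"""Added example: US DST transition rules before and after 2007.

Old rule (through 2006): DST starts at 2 a.m. on the first Sunday in April
and ends at 2 a.m. on the last Sunday in October.
New rule (2007 onward): DST starts at 2 a.m. on the second Sunday in March
and ends at 2 a.m. on the first Sunday in November.
"""
import datetime as dt

SUNDAY = 6                      # datetime.weekday(): Monday = 0 ... Sunday = 6
TRANSITION = dt.time(2, 0)      # both rules switch at 2 a.m. local wall-clock time


def nth_weekday(year, month, weekday, n):
    """Return the n-th (1-based) given weekday of a month; n == -1 means the last one."""
    if n > 0:
        first = dt.date(year, month, 1)
        offset = (weekday - first.weekday()) % 7
        return first + dt.timedelta(days=offset + 7 * (n - 1))
    # Last occurrence: start from the month's final day and walk backwards.
    next_month = dt.date(year + (month == 12), month % 12 + 1, 1)
    last = next_month - dt.timedelta(days=1)
    offset = (last.weekday() - weekday) % 7
    return last - dt.timedelta(days=offset)


def dst_window(year, new_rule):
    """(start, end) local wall-clock datetimes of DST for `year` under one rule."""
    if new_rule:
        start = nth_weekday(year, 3, SUNDAY, 2)     # second Sunday in March
        end = nth_weekday(year, 11, SUNDAY, 1)      # first Sunday in November
    else:
        start = nth_weekday(year, 4, SUNDAY, 1)     # first Sunday in April
        end = nth_weekday(year, 10, SUNDAY, -1)     # last Sunday in October
    return (dt.datetime.combine(start, TRANSITION),
            dt.datetime.combine(end, TRANSITION))


def dst_rules(year):
    """Pick the rule that was legally in force for `year` (new rule from 2007)."""
    return dst_window(year, year >= 2007)


def transition_dates(year):
    """ISO dates of the DST start and end for `year`, for easy checking."""
    start, end = dst_rules(year)
    return start.date().isoformat(), end.date().isoformat()


def is_dst(year, month, day, hour=12, minute=0):
    """True if the given local wall-clock time falls inside DST.

    Naive comparison: the repeated 1-2 a.m. hour at fall-back is treated as
    standard time, which is enough for checking the published dates.
    """
    start, end = dst_rules(year)
    return start <= dt.datetime(year, month, day, hour, minute) < end


def affected_days(year):
    """Count the days (checked at noon) on which the old and new rules disagree.

    On each such day a clock still applying the old rule is off by one hour.
    """
    old = dst_window(year, new_rule=False)
    new = dst_window(year, new_rule=True)
    day = dt.datetime(year, 1, 1, 12)
    count = 0
    while day.year == year:
        in_old = old[0] <= day < old[1]
        in_new = new[0] <= day < new[1]
        count += in_old != in_new
        day += dt.timedelta(days=1)
    return count


if __name__ == "__main__":
    for y in (2006, 2007):
        print(y, transition_dates(y), "days off by an hour under old rule:", affected_days(y))
```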
Re:Good start
It's simply not practicable for the US gov't to say "you must all do it this way" for something so trivial
What's the point of having a National Institute of Standards then? When Australia converted back in the 70s, after a couple of years of soft conversions, the Bureau of Weights and Measures simply mandated that scales for measuring goods had to be metric only. You couldn't buy a government certified scale in pounds and use it in a shop (you could get a kitchen scale, of course, if you really wanted). And shops have to have certified scales. Once you take away the crutch of having the imperial units you soon adapt.
-
Re:Yay!!!
The push for the metric system in the US goes back long before that -- try the early 1800s
If you trust NIST, that is:
http://ts.nist.gov/WeightsAndMeasures/Metric/lc1136a.cfm -
Re:American metric system
You say it amuses you that Americans like to keep the imperial system but then go on to show that the one system is linked to the other
Um. Imperial measurements are more like "hm. This is the size of a thumb. And that's the size of my foot." which is actually quite variable. The metric system is created with the idea to use a base that isn't variable (such as the speed of light). Of course, now you have agreements of how long one or the other is, making it a common system (my foot is larger than yours. Whose measurements are we going to take?) but the irony remains that it's based on the metric system to define it.
The meter is the length of the path travelled by light in vacuum during a time interval of 1/299 792 458 of a second
As a kilo is a cubic decimeter or 1 liter of water.
100C = boiling point of water
0C = melting point of water
and so on -
Re:American metric system
In my experience, most Americans under 30 can't even convert from miles to yards. Yes, all systems of units are arbitrary conventions, but some of them are better designed than others. You don't need a calculator to find out how many centimeters there are in 174.56 m. That makes it particularly well suited for everyday use. By the way, the eV is as much of a metric system unit as the degree Celsius. See this.
-
Text of IJCAI paper
http://www.ijcai.org/papers07/Papers/IJCAI07-259.pdf
While IJCAI is a prestigious conference, and the results may be sound, the claims as to the applicability to spam filtering are bogus. The paraphrasal of how state-of-the-art filters work is wrong, and there's no evidence that better word associations translate to better spam filter accuracy. None at all.
Should the authors wish to show applicability to spam filtering, they should do so using the TREC Spam Track methodology and datasets. http://trec.nist.gov/data/spam.html
The call for participation in TREC 2007 is currently open: http://trec.nist.gov/call07.html Nothing at all prevents a TREC participant from submitting a filter that includes a copy of Wikipedia, if they feel it would help. -
Not blur, pixelation
First, this isn't blur, it's pixelation, with big pixels. That's not the same as blur. True blur, like Gaussian blur in Photoshop, doesn't actually destroy that much information. After Gaussian blurring, each pixel has a unique value, but it's a linear combination of values from nearby pixels. There's almost as much information as before blurring; the only true losses are from rounding. That's a reversible process.
Pixelation, though, substantially reduces the amount of information in the image. Before, each pixel had a unique value. After, only each square has a unique value. So information really has been destroyed. However, if, after pixelation, the target object to be identified still has several pixels, some kind of attack might work. You need to use big enough pixel blocks that multiple target objects (like three or more letters or numbers) map to a single block. Of course, visually this will lose you the "there's sort of some number there but I can't make it out" look.
Pixelation with some crypto-grade noise added would probably solve the problem. (Remember, if the attacker can predict the noise algorithm, it doesn't help.)
-
Re:300 Terabits.
As others have pointed out, the hard drive manufacturers are following the proper convention, and in fact (if you look into the history), HD manufacturers have been using the "factor of 1000" convention since the very beginning (since the first magnetic platters, really).
The confusion is created because people designing memory (which is naturally laid out in powers of 2) co-opted the SI prefixes (kilo, mega, giga, etc.) to describe sizes, but redefined them as "1024" (being a power of 2) instead. This is in complete contradiction to the well-established (and much older) SI unit conventions, where kilo, mega, etc. are always well-defined in terms of factors of 1000.
In order to cut down on the confusion, international bodies suggested that new prefixes ("kibibyte", "mebibyte" etc. ... which mean "kilo-binary" and "mega-binary" and so on) be used when one is using the binary ("1024") convention. This suggestion was ratified by, and accepted by IEC, IEEE and NIST (U.S. National Institute of Standards and Technology).
An excellent explanation, with pointers to the appropriate IEC and IEEE documents can be found on Wikipedia. Note that this convention was ratified in 1999! It's been over 7 years and people are still abusing the terminology!
As a scientist, I've always hated the confusion and ambiguity caused by using the SI prefixes to mean two different things. We have a proper convention in place, now it's time for people to use it constantly and consistently! The hard drive manufacturers are doing it the "right way"... it's time for others to follow suit. In particular, the operating system should be reporting sizes properly in "KiB" (kibibytes, 1024 bytes) or "kB" (kilobytes, 1000 bytes) consistently. I know that, for instance, Konqueror in KDE does this the right way... but I think Windows Explorer still does not.
As geeks on Slashdot we need to spread the word!... or at the very least not commit this age-old mistake. -
Re:ANOTHER LIE
Kilobyte = 1000 bytes
Megabyte = 1000 kilobytes
Gigabyte = 1000 megabytes
Terabyte = 1000 gigabytes
1024 Byte = 1 Kibibyte
1024 KiB = 1 Mebibyte
1024 MiB = 1 Gibibyte
http://physics.nist.gov/cuu/Units/binary.html -
Fuck. You.
If the collisions from the aircraft and the subsequent fire aren't enough to remove almost all the strength from the entire structure of the building, that means something else did. And for that, the most reasonable, plausible explanation I've ever heard is some sort of manual intervention. In other words, controlled demolition.
I lost a long-time friend in the WTC and I had family right next door to it at the time who could very well have been killed... The idea of an elaborate conspiracy is preposterous and is based on pseudo-science at best. I question your motives. However, if you truly want to understand, then why don't you read this: http://wtc.nist.gov/pubs/factsheets/faqs_8_2006.htm -
FDE and FIPS 140-2 certification
I work for a company that independently tests and certifies products to the FIPS 140-2 standard. After looking over the requirements for FDE, it's not anything particularly new or exciting. All FDE seems to be is a directive to use FIPS 140-2 (soon to be 140-3 http://csrc.ncsl.nist.gov/cryptval/140-3.htm) certified products that have some requested features, on government machines. Even the requirements themselves are just specific highlights of FIPS and Common Criteria requirements. I definitely think it's well past due that mandates like this are being pushed in the government.
The federal government has used certification programs like FIPS, Common Criteria, and others to give agencies choices in what they can buy to improve their own security. However the biggest problem is that most branches don't take advantage of the technology because either they don't want to fund it, or don't understand the importance of how vulnerable they may be. Some parts of the government are ridiculously advanced with their security standards and practices, but it's absolutely woeful how other departments lag behind, like Education, HUD, and others.
What really needs to be done is something more streamlined and efficient to get technology certified faster and according to the right standards. Take a look at the FIPS 140-2 standard if you can survive the mind numbing guhb'mentese. It's geared more towards hardware based designs as opposed to software. 140-3 is going to be much better, but it's not great. Algorithms like AES256 are a good start, but there's definitely better encryption out there. The good thing is that a great deal of really smart people work on encryption products. With the kind of money that just one or two government purchases can bring, those who are certified early will make beaucoup bucks.
There already look to be 3 or 4 products (http://csrc.ncsl.nist.gov/cryptval/140-1/140val-all.htm) that are FIPS certified, but I'm not sure if they meet the EAL 3 requirements. Expect to see more of these mandates for all kinds of things from networking, to the new PIV project http://csrc.nist.gov/piv-program/index.html. Actually, I'm kind of surprised that FDE doesn't specifically require PIV for its user authentication. That's the problem with government projects like these, too many cooks and not enough kitchen. :) -
Re:Sad Sad Troll
There is hardly enough valid opinion in the comment to mod it 5 insightful so I suspect copious amounts of Microsoft FUD at least from the moderators.
Let's examine it carefully.
"people" in general want to use whatever everyone else is using
Yup. And that's why the killer linux desktop app will make people switch. When it fulfills a need that their current desktop doesn't then they'll switch. Look at Apple. They are hardly winning the war despite having the vastly superior OS.
a. Exchange replacement
This one is right. There's no 1-for-1 replacement and Outlook makes this extremely difficult to do anyway.
Policy management like Active Directory
This is wrong. Horribly so. As someone that deals with policy objects every day they are a nasty hack. I can do the same thing a couple of different ways in Linux where someone else can come along and figure out what I did easily. Active directory? Not so much.
Microsoft compatibility
Clearly you have never dealt directly with Microsoft. Please don't make such foolish statements. Microsoft doesn't want it to happen.
Security updates that really are without question
Sadly, you aren't kidding and you must like Microsoft's update routine. As a system administrator I WANT to know if the update is replacing a critical file and any sysadmin worth half her salary will want the same thing.
Educational Facilities
These comments clearly show complete ignorance when it comes to abusive Microsoft licensing practices. Please don't comment so authoritatively on something you know nothing about.
More shades between "root" and "user".
This one is particularly humorous. There are many, many ways to do this. If you are too lazy to edit a sudo file, then this http://csrc.nist.gov/rbac/ won't do you any good either.
Somewhere to put "common documents"
I don't know what the hell this is about but it sounds like you are just too lazy to do it because it's not hard. -
Re:In short... Yes .. and ... no
Regardless, whether or not anyone did cheat is not even the question. The fact that someone COULD cheat (and easily too) should be enough to do something about it.
BTW, Brit Williams seems to be deep inside the voting industry already, see eg. here. He has also helped "certify" Diebold equipment in the past, according to this. -
Re:For fucks sake...
Well how bout email campaign.
Here:
bwilliam AT kennesaw DOT edu
from here:
http://vote.nist.gov/bios/williams.htm
I'm sure as hell emailing the dumbshit. -
Re:Great quote
Tell Brit Williams how you feel. His email is on that page.
-
Re:Asshats
morality is a universal constant
Universal constant? I do not think it means what you think it means
;)
All joking aside, it's hard to imagine how you could justify claiming that morality is a universal constant. You defined morality as "what is right". But what is right? And is "what is right" a universal constant? In this case, your addition of a level of indirection hasn't contributed anything.
With respect to a given action, you and I may disagree what is right. So, what is right is not universal in that respect. Aha!, you say, but for an individual, what is right with respect to a given action is universal. Yet, over time, an individual may change his mind as to whether a given action is right. So, what is right is not universal in that respect either. Finally, we may disagree over the very meaning of right and likewise, you yourself may change your mind as to the meaning of right. -
Bypass Roland
-
Likely prior art: treaps
It's likely that the "treap" data structure is prior art. And it's more interesting than the linked lists case.
See a brief description here: Paul E. Black, "treap", in Dictionary of Algorithms and Data Structures [online], Paul E. Black, ed., U.S. National Institute of Standards and Technology. 12 September 2005. (accessed TODAY) Available from: http://www.nist.gov/dads/HTML/treap.html
Treaps were introduced by Seidel and Aragon at the FOCS conference in 1989. -
Re:CDs
Standard mass produced CDs will last a maximum of 33 years. I recall reading of outgassing at the foil-polycarbonate interface.
More detailed thoughts on the subject:
http://www.clir.org/PUBS/reports/pub121/sec4.html
http://hardware.slashdot.org/article.pl?sid=05/02/05/0024258&tid=198
http://www.itl.nist.gov/div895/gipwg/StabilityStudy.pdf [PDF]
http://www.jts2004.org/english/proceedings/Carou.htm
http://www.mscience.com/longev.html
And the Google search that led to these links:
http://www.google.com/search?q=CD+degradation -
Re:Governments and computers don't mix
No, 3DES (Triple-DES, aka TDES) has not been broken. In fact, NIST says 2-key 3DES (using three 8-byte keys where the first and third ones are identical) is fine until after 2010. 3-key 3DES - using three independent 8-byte keys - is rated to be fine until 2030. (See the table describing this on page 66 of NIST SP800-57 Part 1, which you can find at http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part1.pdf) While the end of life is in sight for 3DES, it won't arrive for a while. People often get confused because single-DES, which uses just a single 8-byte key, can be broken now by exhaustive search of the keys until you find the right one. -
We're from the gov't and we're here to help you!
I'm using a WWVB radio controlled alarm clock. MST/MDT conversions are made when Big Brother says to do it. Likewise, running nisttime daily keeps the computers on schedule. If NIST says it's daylight savings time, it's daylight savings time.
-
Re:Time for a new alarm clock
Most atomic clocks don't have rules for when to switch to DST. They just use the code from the time from NIST, which includes a flag to indicate whether DST is in effect or not. As long as NIST changes when they include the DST flag, Atomic clocks should switch to DST on the correct day.
-
Re:There Is Absolutely Nothing Wrong With This
sort of like how the 9/11 World Trade Center conspiracy theories have been debunked so many times, yet many people continue to believe they were controlled demolitions
Really? Someone has PROVEN that the buildings (especially including WTC7) could NOT have come down by controlled demolition? I must've missed that. (BTW, if you claim "you can't prove a negative" I will ask how you can claim this is debunked then?) It is also a fact that there have been no successful (published) models demonstrating the plausibility of the "official" collapse theory. (Oh wait, NIST claims to have computer models. For some reason we can't see them). The "pancake collapse" theory is a total joke, even the latest NIST report is backpedalling and admits that the pancake theory is unsupportable ("NIST's findings do not support the "pancake theory" of collapse", Source). So what are we to make of all the "experts" supporting the pancake collapse for the last five years?
But you know what? The whole "controlled demo" angle is a trap (Mike Ruppert, former NARC, has been saying this since 2001). The physical evidence was deliberately (and illegally) destroyed, making a conclusive forensic study impossible, so these arguments are doomed to go in circles endlessly.
But there's a lot of other stuff we can look at...- Fact: Multiple top-secret wargames were being run on 9/11 which eerily mirrored (read: to an extent impossible to ascribe to chance) the hijackings of the day (same thing happened for London's 7/7, lookup "Ludicrous Diversion" video), which prevented an adequate military response due to confusion and diverted fighter resources. The existence of these wargames has been confirmed by Richard Clarke, Gen Richard Myers, and more recently by Sgt Lauro Chavez who was an eyewitness at CENTCOM that day.
- Fact: The finance trail for 9/11 leads to the Pakistani ISI, which is practically a branch of the CIA. Guess who trained and financed Osama and his mujahadeen against the Soviets in the 80's?
- Fact: There was extensive insider trading preceding 9/11, which has been shown to have ties to the CIA.
- Fact: The Secret Service allowed the President to remain in a public, indefensible location for 26 minutes after the 2nd plane had crashed and it was obvious the country was under co-ordinated attack. This indicates either mind-blowing incompetence at their primary job function, or inside knowledge that Bush wasn't really in danger.
- Fact: Bush and Co. actively tried to prevent a 9/11 investigation, then tried to get HENRY FUCKING KISSINGER to lead it, then made Philip "I Wrote a Book With Condi Rice" Zelikow the Executive Director (the guy most responsible for the final shape of the report), then completely underfunded the commission.
- Fact: John O'Neil, former deputy director of FBI, said "The main obstacles to investigate Islamic terrorism were US oil corporate interests, and the role played by Saudi Arabia in it"
It doesn't take a genius, and you don't even have to look at any of the (admittedly, highly speculative and often flawed) "controlled demo" or "no plane" theories.
It amazes me the number of people who recognize that the US is sliding towards fascism, but refuse to believe that the govt pulled off its own Reichstag. History is filled with false flag ops, look at the Gulf of Tonkin incident as one example. And spare me the tired "1000's would've had to know about this, why has nobody spoken up?". Military black-ops are compartmentalized for a reason, only key people at the top see the real picture. Actual whistleblowers (eg, Sibel Edmonds) are systematically marginalized; the MSM is no longer a free press (now ranked 53rd in the world!).
The govt. either knew this was coming and let it, or was actively involved in executing it, and they have d -
Re:This sounds like a troll
I'll correct myself...for conspiracy nutcases, no evidence will EVER change your mind... already, you set some arbitrary standard that somebody has to create some "collapsing model" of a 110 story building, built in the early seventies, and have a fully fueled commercial airliner crash into it at a certain height and then see if it actually collapses... that is the only evidence that you claim would change your mind... but then you assert that you are surprised that because no one has taken the million dollar prize then this proves that the buildings did not collapse as reported by the government investigation... you are basing your whole conspiracy theory on the premise that if someone cannot, or has not, created a model, then a conspiracy demolition brought it down... of course, no government report would convince you because conspiracists dismiss anything from the government as biased... and anybody else that comes out with any evidence that exposes any conspiracy theories as wrong... then your response is that people like that must either be blackmailed into supporting the government's theory or they are in on it...
Hell, I still see nutcase conspiracists who still think the Oklahoma bombing was the work of the government... despite the fact that McVeigh admitted to it -
Re:What about variations?
The definition of the kilogram was originally made in terms of a particular volume of water, but was later changed to the weight of a particular ingot of iridium-platinum.
-
The Actual Program Information (imagine that)
In case anyone cares to actually LEARN what it is rather than just ramble on about how horrible the world is:
http://csrc.nist.gov/piv-program/index.html
It's a very sensible document (and HSPD12 is just the mandate, FIPS201 is the implementation). All it does (ALL) is say "agencies need to have a process in place to make sure Joe is Joe, and they need to give him a card that says he's Joe, and it needs to look like this."
It doesn't actually go further than that. It outlines an interoperable infrastructure based on dirt simple, well understood, highly tested smart card stock, lays out minimum requirements for readers, and puts a system certification process in place. The "tech" part of this is really quite simple and boring for anyone who's spent more than 10 minutes thinking about PKI or smartcards.
The much much more important part of this is the credentialling part (PIV-1) which has been in place for a year. This establishes clear lines of responsibility and clear processes for actually establishing that Joe is Joe, and at least an attempt to make sure that, say, the Defense Manpower Data Center is using the same process as the Janitor's closet in the Department of Education. This is a GOOD THING people. It's about breaking down silos and creating (gasp) an open standard for strong(er) authentication.
That's right folks, an open interoperability standard sponsored by the US of A. Wanna make sure your corporate ID is just a wee bit futureproof? Read the FIPS201 docs and mimic the data model and tech requirements.
OK, back to the sarcasm laced punditry. Thanks for playing. -
duh!
i didn't have any trouble finding a variety of resources that answer your questions using google.
why are you asking slashdot ?
in particular, this looks interesting: http://www.csse.uwa.edu.au/~pk/studentprojects/libor/
as did this: http://www.itl.nist.gov/iad/894.03/nigos/mbark.html -
Re:Unreliable Network Simulation
If your main interest is the simulation of unreliable networks, maybe nistnet may help you. It supports packet delays, max. bandwidth and packet dropping and duplication (no firewall though, although setting up a minimal debian installation with iptables is not hard). It can be configured using the GUI or the CLI.
-
Re:Wow
Impressive! This could be very useful in a lot of situations.. Keeping in mind that this is the very generation, there could very well be later generations that could map rooms in mere minutes, and then other ones to map rubble in minutes.. then when disaster strikes, in goes the robots to map stuff out, and people to follow.
Actually, the current technology is quite capable of mapping a room in a few seconds - essentially as fast as you can drive a robot through the room with line of sight to all the corners. The application described in TFA is nothing more than a commercialised version of technology that has been around for years.
It is also currently possible to generate a 3D map of a complex environment (such as a pile of rubble). Have a look at Kurt3D, which maps using a laser scanner on a tilting or rotating mount. You can also use an infrared time-of-flight sensor such as the SwissRanger to generate the same sort of datasets.
It's interesting that you should mention the Search and Rescue application. There are numerous robotics groups around the world working on this problem, and testing solutions in the RoboCup Rescue competition, which has been running since 2000. Almost every team in this competition has some sort of automatic mapping technology akin to that described in TFA. Several also have 3D mapping, and there is also a lot of interesting work going on in user interfaces and remote control, as well as autonomous navigation, exploration, victim identification and decision making. -
Re:More than Napoleon...
"You assume the best technical solutions always win."
No I've argued the exact opposite. What are you thinking?
"Consistent and coherent, with a clear structure of basic and constructed units;"
Yes, aesthetically pleasing. So what?
"No weird double-naming for units of the same type, like gallons/fluid ounces; in the case of litres, it's just a dm^3."
There's no "double-naming" in the imperial system. You're arguing conversion factors.
"Globalisation: the rest of the world (except Liberia and Jamaica, I think) uses metric for everything."
Not true, but so what? If there was an economic hardship then the conversion would happen. That's actually the plan.
"Simple conversion factors: you need only to move the point and/or add zeroes, you do not need multiplication."
Yes, logical and aesthetically pleasing. So what? Rarely does the average consumer need to do conversions. Meaningless to engineers since they're free to use metric if they want except where metric is mandated (and it is in some cases).
"Context-independent: for some reason, nutritionists used "great calories", physicists used ergs, chemists "small calories", engineers BTUs. Everybody using the joule and its multiples is much simpler."
Ah, back to conversions again. What does this mean to the average American? How often do nutritionists talk to physicists? Conversions are not a concern to the general population.
"Just because Esperanto (or Spanish for that matter) is simpler and less dyslexia-inducing than English, does not mean you can start talking it yourself and expect it to take on. Some decisions have to be taken top-down, or people will just maintain the status quo because they cannot do otherwise."
The metric system offers about as much benefit to the typical American as Esperanto does. That's why both are ignored.
Just because a technically superior system exists doesn't mean that it offers real benefits. Human language, to take your example, is inefficient and can be easily improved upon yet I don't see anyone, especially the French, arguing to discard what they already speak.
http://ts.nist.gov/ts/htdocs/200/202/lc1136a.htm
This article presents a brief history of metric conversion in the US. Some quotes:
"The efforts of the Metric Board were largely ignored by the American public...Due to this apparent ineffectiveness, and in an effort to reduce Federal spending, the Metric Board was disestablished in the fall of 1982."
Metric conversion failed in the US because the public didn't want it and the cost wasn't justified.
"Congress, recognizing the necessity of the United States' conformance with international standards for trade, included new encouragement for U.S. industrial metrication in the Omnibus Trade and Competitiveness Act of 1988. ...Federal agencies were required by this legislation, with certain exceptions, to use the metric system in their procurement, grants and other business-related activities by the end of 1992. While not mandating metric use in the private sector, the Federal Government has sought to serve as a catalyst in the metric conversion of the country's trade, industry, and commerce."
The US government's approach on metric conversion is to allow it to proceed naturally at its own pace. The belief is that economic benefits will eventually cause the conversion to occur. Frankly, that alone is proof of my position. Once the benefits truly exist then metric will be used. I doubt anyone would argue with me on the matter if they were alive in 1975 to see the wasted money and effort. All we got out of the deal was liter bottles of Coke instead of quarts. -
Re:The chickens have returned home to roost
In other news, IBM uses scanning tunneling microscope to build world's smallest violin, plays it for Hastert and co.
-
Re:Productivity?
Tackhead wrote:
This is government work. Nothing's being produced, only consumed.
Not all government work is non-productive. Most government agencies have some hand in assisting citizens and businesses in their productive endeavors, either by providing regulatory and legal infrastructure (the Dept. of Agriculture and the FDA inspect for food safety, the NIST provides consistent weights and measures for use in all sorts of commercial transactions, the judiciary provides the means of enforcing contracts, etc.) or by producing actual goods and services (the Library of Congress publishes books on tape and in braille for the deaf and the blind, the Army Corps of Engineers builds all sorts of public works and many agencies perform a fair amount of basic research that, eventually, winds up in the public sector via technology transfer).
I know that the Libertarian party-line, so popular on slashdot and with technologists in general, is that government is nothing but a leech on the ass of an otherwise productive capitalist society and should be restricted to funding a militia, but the facts simply don't bear this out. Any large organization will have an alarming amount of bureaucratic waste, and most governments may have a little more than most private sector entities, but governments can, and in some cases do, do more than generate paper and hot air. -
Re:Firefox has become IE
Lynx has an exploit of its own: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2004-1617
-
Re:newtons method
The method I learned in school was this one; we had a sixth grade math teacher that used to refuse to allow us to use calculators, so we had to solve square roots by hand and such. There's a similar method for cube roots as well. Linkage: http://www.nist.gov/dads/HTML/squareRoot.html.
-
Re:Snake oil that uses AES
You illustrate my point - see some of the other comments I've replied to. CBC is hard to use correctly because the IVs have to be unpredictable to the attacker. CTR mode is generally a much better idea. Better yet, use EAX or GCM modes, which provide authentication as well as encryption. Frankly I'm sorry to hear that RFCs that propose using CBC mode with AES are being published; I know of no genuine advantage it offers over CTR mode. See
http://csrc.nist.gov/encryption/modes/workshop1/papers/lipmaa-ctr.pdf -
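The mode comparison in the comment above, as an added example that is not part of the original post: Go code (standard library only) that seals a message with AES-GCM under a fresh random nonce and refuses a modified ciphertext, beside a raw AES-CBC helper that shows what CBC alone does not give you: no integrity check at all, and equal plaintexts encrypting to equal ciphertexts when the IV is fixed (and therefore predictable). The key, message and IV values used with it are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// sealGCM encrypts with AES-GCM under a fresh random nonce and prepends it;
// the authentication tag lets the receiver detect any modification.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	aead, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// openGCM splits off the nonce and verifies the tag; a tampered message fails here.
func openGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	aead, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	ns := aead.NonceSize()
	if len(sealed) < ns { return nil, errors.New("ciphertext too short") }
	return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// cbcRaw runs unauthenticated AES-CBC in the given direction with a caller-supplied IV.
// It exists only to show what CBC does NOT give you: nothing checks integrity, so a
// modified ciphertext decrypts without complaint, and a fixed IV makes equal
// plaintexts encrypt to equal ciphertexts. (Padding is omitted: inputs are block-aligned.)
func cbcRaw(key, iv, in []byte, encrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	if len(iv) != aes.BlockSize { return nil, errors.New("iv must be exactly one block") }
	if len(in)%aes.BlockSize != 0 { return nil, errors.New("input must be block-aligned") }
	out := make([]byte, len(in))
	if encrypt {
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, in)
	} else {
		cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, in)
	}
	return out, nil
}
```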
Re:Is Voltage on the NIST list?
It appears that they are: http://csrc.nist.gov/cryptval/140-1/140crt/140crt522.pdf -
Check the certification
http://cs-www.ncsl.nist.gov/cryptval/aes/aesval.html
NIST maintains a list of those who passed the tests successfully, and were certified to use AES in their products.
So, besides making sure that all the things mentioned by the parent were done right, check out whether the algorithm itself was properly implemented. -
Try This...
If you are truly concerned about the validity of cryptography provided by the vendor, then try to find products that have been certified under the FIPS 140-2 standard. The only problem might be that a lot of those products are usually commercial grade items meant for use by government agencies; however, some of the items that have received approval are reasonably available to consumers. The products are reviewed by independent labs, and then the CMVP reviews the labs results. (The site was down earlier this morning.)
These products have been reviewed by independent labs, who review their implementation to verify that cryptographic mechanisms are implemented properly. This includes reviewing source code and/or hardware designs. Just a thought for anyone who is truly concerned that their hardware or software be compliant. (Note: If you want a "secure" operating system, look into CC Evaluation.) -
Re:Javascript means no dice
First of all, you can't flatly blame the scripting language for the deficiencies of the hosting environment.
Secondly, I can't take your rant seriously. At all. There are a plethora of Web 1.0 ways to compromise modern browsers: I can only assume that you access Slashdot using nothing more than a telnet client and rendering the HTML with your mind, because those web browsers, well, like you said, they make surfing teh intarweb "like inviting a stranger from an L.A. street into your car or home. You never know what you're getting every time you click a link[...]. I don't like to play russian roulette."
-